Perl script that checks or rebuilds FIPS hash files. This works on
authorDr. Stephen Henson <steve@openssl.org>
Thu, 14 Apr 2005 20:44:06 +0000 (20:44 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Thu, 14 Apr 2005 20:44:06 +0000 (20:44 +0000)
both Unix and Windows.

Merge all FIPS hash files into a single hash file fips/fips.sha1

fips/fipshashes.sha1 [new file with mode: 0644]
util/checkhash.pl [new file with mode: 0644]

diff --git a/fips/fipshashes.sha1 b/fips/fipshashes.sha1
new file mode 100644 (file)
index 0000000..8c43b00
--- /dev/null
@@ -0,0 +1,29 @@
+HMAC-SHA1(fips.c)= 4eef19c535c1f3deacdf93eb806479ea3b374115
+HMAC-SHA1(fips_err_wrapper.c)= d3e2be316062510312269e98f964cb87e7577898
+HMAC-SHA1(fips.h)= 9a7c66b93923f83dc0a9c4acd03506059ddafe5f
+HMAC-SHA1(fips_err.h)= 03468e3b593f7528fd934e49bf052c23cc98d301
+HMAC-SHA1(aes/fips_aes_core.c)= b70bbbd675efe0613da0d57055310926a0104d55
+HMAC-SHA1(aes/fips_aes_selftest.c)= 98b01502221e7fe529fd981222f2cbb52eb4cbe0
+HMAC-SHA1(aes/fips_aes_locl.h)= a98eb0aa449f1d95b8064e261b2ac2b1f328685e
+HMAC-SHA1(des/fips_des_enc.c)= 9527f8ea81602358f1aa11348237fdb1e9eeff32
+HMAC-SHA1(des/asm/fips-dx86-elf.s)= 2f85e8e86806c92ee4c12cf5354e19eccf6ed47d
+HMAC-SHA1(des/fips_des_selftest.c)= 3bc574e51647c5f5ab45d1007b2cf461d67764a9
+HMAC-SHA1(des/fips_set_key.c)= 2858450d3d9c8d4ab8edea683baa54fa34f3a605
+HMAC-SHA1(des/fips_des_locl.h)= 7053848e884df47f06de9f2248380b92e58ef4e5
+HMAC-SHA1(dh/fips_dh_check.c)= 63347e2007e224381d4a7b6d871633889de72cf3
+HMAC-SHA1(dh/fips_dh_gen.c)= 93fe69b758ca9d70d70cda1c57fff4eb5c668e85
+HMAC-SHA1(dh/fips_dh_key.c)= 7bf23b329a776953bbe7c30ebd7f9faf5249ddbe
+HMAC-SHA1(dsa/fips_dsa_ossl.c)= d5f718695397fe56d6bb46f7c410794cb895e206
+HMAC-SHA1(dsa/fips_dsa_gen.c)= c252db14699f3ff641db052311da7d7521569c53
+HMAC-SHA1(dsa/fips_dsa_selftest.c)= 4bfc5d3a6b977527b053f3a03d0760a822a26135
+HMAC-SHA1(rand/fips_rand.c)= 5dc4aa11c0377a049bee01d427e5b0bc3dd9f10f
+HMAC-SHA1(rand/fips_rand.h)= 0567b1fe9b0efe034a537f335659b0b681809791
+HMAC-SHA1(rsa/fips_rsa_eay.c)= eabab59a2f11f3da4c21e1144efe1684f5e8f1ec
+HMAC-SHA1(rsa/fips_rsa_gen.c)= 4bbc0afcade1ac53f469aaa89f84c413678254bf
+HMAC-SHA1(rsa/fips_rsa_selftest.c)= 70553a5212e86f65b068564946d39b738a201e22
+HMAC-SHA1(sha1/fips_sha1dgst.c)= 10575600a9540eb15188a7d3b0b031e60aedbc18
+HMAC-SHA1(sha1/fips_standalone_sha1.c)= 93203c569097189b47a0085bc9fc55193867d4ce
+HMAC-SHA1(sha1/fips_sha1_selftest.c)= 98910a0c85eff1688bd7adb23e738dc75b39546e
+HMAC-SHA1(sha1/asm/sx86-elf.s)= ae66fb23ab8e1a2287e87a0a2dd30a4b9039fe63
+HMAC-SHA1(sha1/fips_sha_locl.h)= c1b4c82eec5f0ee119658456690f3ea9d77ed1c5
+HMAC-SHA1(sha1/fips_md32_common.h)= 08a057a7b94acf5df4301ea6c894ce14082e1ec4
diff --git a/util/checkhash.pl b/util/checkhash.pl
new file mode 100644 (file)
index 0000000..c7c8a6d
--- /dev/null
@@ -0,0 +1,181 @@
+#!/usr/local/bin/perl -w
+
+my $change_dir = "";
+my $check_program = "sha1/fips_standalone_sha1";
+
+my $verbose = 0;
+my $badfiles = 0;
+my $rebuild = 0;
+my $force_rewrite = 0;
+my $hash_file = "fipshashes.sha1";
+my $recurse = 0;
+
+my @fingerprint_files;
+
+while (@ARGV)
+       {
+       my $arg = $ARGV[0];
+       if ($arg eq "-chdir")
+               {
+               shift @ARGV;
+               $change_dir = shift @ARGV;
+               }
+       elsif ($arg eq "-rebuild")
+               {
+               shift @ARGV;
+               $rebuild = 1;
+               }
+       elsif ($arg eq "-verbose")
+               {
+               shift @ARGV;
+               $verbose = 1;
+               }
+       elsif ($arg eq "-force-rewrite")
+               {
+               shift @ARGV;
+               $force_rewrite = 1;
+               }
+       elsif ($arg eq "-hash_file")
+               {
+               shift @ARGV;
+               $hash_file = shift @ARGV;
+               }
+       elsif ($arg eq "-recurse")
+               {
+               shift @ARGV;
+               $recurse = 1;
+               }
+       elsif ($arg eq "-program_path")
+               {
+               shift @ARGV;
+               $check_program = shift @ARGV;
+               }
+       else
+               {
+               die "Unknown Option $arg";
+               }
+
+       }
+
+chdir $change_dir if $change_dir ne "";
+
+if ($recurse)
+       {
+       @fingerprint_files = ("fingerprint.sha1",
+                               <*/fingerprint.sha1>);
+       }
+else
+       {
+       push @fingerprint_files, $hash_file;
+       }
+
+foreach $fp (@fingerprint_files)
+       {
+       open(IN, "$fp") || die "Can't open file $fp";
+       print STDERR "Opening Fingerprint file $fp\n" if $verbose;
+       my $dir = $fp;
+       $dir =~ s/[^\/]*$//;
+       while (<IN>)
+               {
+               chomp;
+               if (!(($file, $hash) = /^HMAC-SHA1\((.*)\)\s*=\s*(\w*)$/))
+                       {
+                       print STDERR "FATAL: Invalid syntax in file $fp\n";
+                       print STDERR "Line:\n$_\n";
+                       fatal_error();
+                       }
+               if (!$rebuild && length($hash) != 40)
+                       {
+                       print STDERR "FATAL: Invalid hash length in $fp for file $file\n";
+                       fatal_error();
+                       }
+               push @hashed_files, "$dir$file";
+               if (exists $hashes{"$dir$file"})
+                       {
+                       print STDERR "FATAL: Duplicate Hash file $dir$file\n";
+                       fatal_error();
+                       }
+               if (! -r "$dir$file")
+                       {
+                       print STDERR "FATAL: Can't access $dir$file\n";
+                       fatal_error();
+                       }
+               $hashes{"$dir$file"} = $hash;
+               }
+       close IN;
+       }
+
+@checked_hashes = `$check_program @hashed_files`;
+
+if ($? != 0)
+       {
+       print STDERR "Error running hash program $check_program\n";
+       fatal_error();
+       }
+
+if (@checked_hashes != @hashed_files)
+       {
+       print STDERR "FATAL: hash count incorrect\n";
+       fatal_error();
+       }
+
+foreach (@checked_hashes)
+       {
+       chomp;
+       if (!(($file, $hash) = /^HMAC-SHA1\((.*)\)\s*=\s*(\w*)$/))
+               {
+               print STDERR "FATAL: Invalid syntax in file $fp\n";
+               print STDERR "Line:\n$_\n";
+               fatal_error();
+               }
+       if (length($hash) != 40)
+               {
+               print STDERR "FATAL: Invalid hash length for file $file\n";
+               fatal_error();
+               }
+       if ($hash ne $hashes{$file})
+               {
+               if ($rebuild)
+                       {
+                       print STDERR "Updating hash on file $file\n";
+                       $hashes{$file} = $hash;
+                       }
+               else
+                       {
+                       print STDERR "Hash check failed for file $file\n";
+                       }
+               $badfiles++;
+               }
+       elsif ($verbose)
+               { print "Hash Check OK for $file\n";}
+       }
+       
+
+if ($badfiles && !$rebuild)
+       {
+       print STDERR "FATAL: hash mismatch on $badfiles files\n";
+       fatal_error();
+       }
+
+if ($badfiles || $force_rewrite)
+       {
+       print "Updating Hash file $hash_file\n";
+       open OUT, ">$hash_file" || die "Error rewriting $hash_file";
+       foreach (@hashed_files)
+               {
+               print OUT "HMAC-SHA1($_)= $hashes{$_}\n";
+               }
+       close OUT;
+       }
+
+if (!$badfiles)
+       {
+       print "FIPS hash check successful\n";
+       }
+
+
+sub fatal_error
+       {
+       print STDERR "*** Your source code does not match the FIPS validated source ***\n";
+       exit 1;
+       }